Bug 66010 - REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
Summary: REGRESSION(r92670-r92744): WebKit crashes when opening Gmail
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P1 Critical
Assignee: Nobody
URL:
Keywords:
: 66011 66115 (view as bug list)
Depends on:
Blocks:
 
Reported: 2011-08-10 13:38 PDT by Ryosuke Niwa
Modified: 2011-08-16 10:38 PDT (History)
8 users (show)

See Also:

Attachments
the patch (1.59 KB, patch)
2011-08-10 15:46 PDT, Filip Pizlo 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Ryosuke Niwa 2011-08-10 13:38:52 PDT 
Reproduction steps:
1. Go to www.google.com/mail/
Crash!

This appears to be JSC issue because it doesn't reproduce on Chromium.
Comment 1 Oliver Hunt 2011-08-10 14:06:47 PDT 
Can we get a crashtrace and platform?
Comment 2 Ryosuke Niwa 2011-08-10 14:10:00 PDT 
Stack trace:

Thread 0 Crashed:  Dispatch queue: com.apple.main-thread
0   com.apple.JavaScriptCore      	0x00000001007daec5 JSC::DFG::JITCompiler::jumpFromSpeculativeToNonSpeculative(JSC::DFG::SpeculationCheck const&, JSC::DFG::EntryLocation const&, JSC::DFG::SpeculationRecovery*, JSC::DFG::NodeToRegisterMap&, JSC::DFG::NodeToRegisterMap&) + 5909
1   com.apple.JavaScriptCore      	0x00000001007dc25a JSC::DFG::JITCompiler::linkSpeculationChecks(JSC::DFG::SpeculativeJIT&, JSC::DFG::NonSpeculativeJIT&) + 282
2   com.apple.JavaScriptCore      	0x00000001007dcc87 JSC::DFG::JITCompiler::compileBody() + 2359
3   com.apple.JavaScriptCore      	0x00000001007ddf04 JSC::DFG::JITCompiler::compileFunction(JSC::JITCode&, JSC::MacroAssemblerCodePtr&) + 788
4   com.apple.JavaScriptCore      	0x0000000100817241 JSC::FunctionExecutable::compileForCallInternal(JSC::ExecState*, JSC::ScopeChainNode*, JSC::ExecState*) + 2193
5   com.apple.JavaScriptCore      	0x00000001008324db JSC::Interpreter::prepareForRepeatCall(JSC::FunctionExecutable*, JSC::ExecState*, JSC::JSFunction*, int, JSC::ScopeChainNode*) + 523
6   com.apple.JavaScriptCore      	0x000000010078a1af JSC::arrayProtoFuncForEach(JSC::ExecState*) + 2831
7   ???                           	0x00003b3019e011e8 0 + 65077778584040
8   com.apple.JavaScriptCore      	0x0000000100831245 JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::ScopeChainNode*, JSC::JSObject*) + 1573
9   ???                           	0x0000000106f357a0 0 + 4411578272
Comment 3 Geoffrey Garen 2011-08-10 14:10:44 PDT 
<rdar://problem/9931900>
Comment 4 Ryosuke Niwa 2011-08-10 14:10:50 PDT 
(In reply to comment #1)
> Can we get a crashtrace and platform?

Snow Leopard on MacPro.
Comment 5 Filip Pizlo 2011-08-10 15:46:46 PDT 
Created attachment 103545 [details]
the patch
Comment 6 Geoffrey Garen 2011-08-10 16:02:08 PDT 
*** Bug 66011 has been marked as a duplicate of this bug. ***
Comment 7 WebKit Review Bot 2011-08-10 17:17:19 PDT 
Comment on attachment 103545 [details]
the patch

Clearing flags on attachment: 103545

Committed r92804: <http://trac.webkit.org/changeset/92804>
Comment 8 WebKit Review Bot 2011-08-10 17:17:24 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 9 Alexey Proskuryakov 2011-08-13 21:22:36 PDT 
*** Bug 66115 has been marked as a duplicate of this bug. ***
Comment 10 Adam Roben (:aroben) 2011-08-15 06:32:47 PDT 
Is it not possible to write an automated regression test for this?
Comment 11 Geoffrey Garen 2011-08-15 11:10:32 PDT 
Seems like it should be possible. If possible, all checkins should come with a regression test.
Comment 12 Filip Pizlo 2011-08-16 10:38:45 PDT 
(In reply to comment #10)
> Is it not possible to write an automated regression test for this?

Sorry for not noting this in the ChangeLog, but there is no obvious automated regression test.  The bug arises out of misuse of a hidden "this" argument to constructor calls.  This is a synthetic notion introduced in our bytecode and our JITs - it is not exposed in the JavaScript language.

As well, the bug only happens when three different register allocators in the system (the bytecompiler's virtual register allocator, the DFG parser's virtual register allocator, and the DFG back-end's physical register allocator) all make exactly the "wrong" decision based on the input.  A test that would cause a failure just before this fix landed would be unlikely to continue to cause failures if even slight changes in register allocation were made subsequently.